Chapter 5. User Education

User education and security awareness, as currently practiced, are broken. The best approach is to find a way to demonstrate, with the right kind of metrics, that you are successfully implementing change and producing a more secure line of defense. A large portion of the information security industry is focused on perimeter security. However, we are beginning to see a shift from strictly data-level protection toward more user-level security and reporting. The security-as-a-process and defense-in-depth mentality must be filtered down and built into our user training.

Before you spend money on threat intel that may tell you how to better defend your specific sector, it is best to start where everyone is being attacked. One of the largest threats today is the targeting of our weakest link: people. According to the 2015 Verizon Data Breach Investigations Report:

Phishing remains popular with attackers. Campaigns have evolved to include the installation of malware as the second stage of an attack. Our data suggests that such attacks could be becoming more effective, with 23% of recipients now opening phishing messages and 11% clicking on attachments. It gets worse. On average, it’s just 82 seconds before a phishing campaign gets its first click.

In this chapter we will demonstrate how to provide more value than the basic training offered in the majority of organizations.

Broken Processes

The reason that most Security Awareness Training programs ...
